RFID projects: Implementation considerations, RFID security concerns

RFID projects can aid organisations in many ways, including improving physical security. Learn more in this tip from Michael Cobb.

It is well known that if security controls are too onerous or interfere too much with people's everyday work, employees will try to circumvent or ignore them whenever they can. This is one reason why automatic identification, or auto ID for short, is quickly gaining popularity: it offers convenience in security, identification and access control, particularly physical access control. Auto ID is often combined with automatic data capture to increase efficiency, reduce data entry errors and free up staff.


Auto ID covers a variety of technologies, including barcodes, magnetic stripes, smartcards, radio frequency identification (RFID) and biometric technologies, such as voice recognition. RFID technology has been widely used in stock control, but its use is spreading to ID cards for personnel as well, as it has the advantage of contactless authentication, which is great for door access where hands-free operation is preferred or needed.

With systems such as barcodes, magnetic stripes and proximity readers, individuals must hold the badge against (or close to) the scanner, as these use line-of-sight technology. The readers can only read one badge at a time, and any embedded information cannot be dynamically changed.

RFID ID badges can be read from much greater distances than those traditional technologies allow, and don't require the tag to be oriented in a particular way. Most systems have anti-collision capabilities, so they can read several tags at the same time. Badges come in various form factors and can be clipped on or attached with a wristband or neck loop.

A typical RFID system consists of an RFID microchip with an antenna -- called a tag -- a reader with an antenna, and an access control server. If the system is using passive RFID tags, which have no battery, the reader sends out electromagnetic waves, which the tags' antennae are tuned to receive. The tags draw power from the magnetic field created by the reader and use this power to activate the microchip to send data back to the reader. An active RFID tag has its own battery power and so can periodically transmit the data stored on it to the RFID reader.

The RFID reader cross-references the tag's data against its own database or sends it wirelessly to the server. The read range depends on the frequency and type of tag. Some readers can cover a total area of up to 30,000 square feet. Wireless RFID scanners allow the readers to be relocated or repositioned as needs change.

The most common method of authentication using an RFID system is to store a serial number unique to the user, but tags can also be used to store biometric information, such as a photograph. CCTV can then compare an individual's face with the image stored on the RFID tag to authenticate someone at an unmanned entry point, or to regulate access depending on the time of day. RFID systems can also trigger CCTV cameras to capture unauthorised or authorised access in real time, or when certain RFID events occur, such as someone tampering with an RFID badge.

Access information can be tied to data in Windows Active Directory or LDAP for user authentication, and therefore be synchronised to an authorised access scheme. As well as controlling access to restricted areas, RFID can easily track time and attendance, as well as employee and visitor location. By having a fully integrated access system, physical and logical access can be tightly controlled and comprehensive audit logs generated. For example, RFID logs can be used to check patrols by guards to ensure individuals complete them as per their rota. Also, in an emergency, a real-time map can show the location of key personnel.
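The patrol check described above can be run directly over reader logs. The following Python sketch is an added example, not part of the original article; the log format, reader names, tag serials and rota are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log, one read per line: "timestamp reader tag".
# In the first patrol the loading-dock read at 22:20 belongs to another tag
# and the guard's own read at 22:31 is late; the last line is malformed.
LOG = """\
2024-03-04T22:02:10 CP-LOBBY 04A1B2C3
2024-03-04T22:09:45 CP-SERVER-ROOM 04A1B2C3
2024-03-04T22:20:00 CP-LOADING-DOCK 04FFEE11
2024-03-04T22:31:02 CP-LOADING-DOCK 04A1B2C3
2024-03-04T23:01:30 CP-LOBBY 04A1B2C3
2024-03-04T23:07:12 CP-LOADING-DOCK 04A1B2C3
2024-03-04T23:15:40 CP-SERVER-ROOM 04A1B2C3
2024-03-05T00:03:00 CP-LOBBY 04A1B2C3
2024-03-05T00:10:00 CP-SERVER-ROOM 04A1B2C3
2024-03-05T00:21:00 CP-LOADING-DOCK 04A1B2C3
not-a-time CP-LOBBY 04A1B2C3
"""

# Hypothetical rota: the guard's tag must hit each checkpoint reader, in
# route order, inside every patrol window.
ROUTE = ["CP-LOBBY", "CP-SERVER-ROOM", "CP-LOADING-DOCK"]
WINDOWS = [("2024-03-04T22:00:00", "2024-03-04T22:30:00"),
           ("2024-03-04T23:00:00", "2024-03-04T23:30:00"),
           ("2024-03-05T00:00:00", "2024-03-05T00:30:00")]
ROTA = [{"tag": "04A1B2C3", "start": s, "end": e, "route": ROUTE} for s, e in WINDOWS]

def parse_log(text):
    """Return sorted (datetime, reader, tag) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        try:
            if len(parts) == 3:
                events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue  # unparseable timestamp
    return sorted(events)

def audit_patrols(events, rota):
    """Flag patrols with missed checkpoints or checkpoints visited out of order."""
    findings = []
    for p in rota:
        start, end = datetime.fromisoformat(p["start"]), datetime.fromisoformat(p["end"])
        seen = [r for t, r, tag in events if tag == p["tag"] and start <= t <= end]
        missed = [cp for cp in p["route"] if cp not in seen]
        visited = [r for r in dict.fromkeys(seen) if r in p["route"]]  # first visits
        if missed:
            findings.append((p["start"], "missed", missed))
        elif visited != p["route"]:
            findings.append((p["start"], "out_of_order", visited))
    return findings
```

Only reads made by the rostered tag inside the window count, so a colleague's badge at the checkpoint or a late read is still reported as a missed checkpoint.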

RFID systems can easily be adapted to most environments that require restriction of access or movement of personnel. For employees, the big advantage is they are truly hands-free, eliminating the need to hold the badge or pass next to a scanner.

One problem with RFID technology relates to standards. RFID can use different frequencies, but the most common are low frequency, high frequency and ultra-high frequency (UHF). There are standards for low- and high-frequency RFID systems, but most companies want to use UHF in the supply chain, because it offers a longer read range. However, many other types of devices use the UHF spectrum, meaning their signals interfere with each other, so RFID readings become inaccurate or nonexistent, and an accepted standard is still some way off.

There are also some RFID security concerns. RFID tags can be read by unauthorised readers, which can then access any personal information stored on them, for example where people are close together on a crowded train. Users can guard against this kind of 'skimming' by requiring passwords in order to access a tag's memory or enforcing encryption between the tag and reader. In the US, the NIST standard FIPS 201 requires that RFID Personal Identity Verification cards be kept in a FIPS 201-approved, shielded badge holder, which prevents unauthorised reads.

RFID technology can deliver a convenient hands-free access control and automated data capture solution with many advantages over traditional access control badges and systems. It may sound a bit Big Brother, but it can be appropriate in critical or sensitive areas, particularly where a physical perimeter defence plays an important role. Like most technologies, RFID is developing quickly, and any RFID projects will require advice from an experienced vendor in order to select the right type of tag for specific environments and uses. The good news, however, is that, as the technology becomes more popular, it is also becoming more affordable.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.
